Why TeamPCP’s Russian Roulette Module is a False Flag
Prologue
After Antiy released "Sandstorm-style Poisoning Targeting Developer Tool Supply Chains – Sample, Technical and Tactical Analysis of TeamPCP Organizations (Part 1)", several industry experts contacted us about one particular design in the TeamPCP malicious samples: a built-in "roulette" module which, once a prerequisite check named is_israeli_system() passes, wipes the system with a random probability of 1/6. The same sample also geofences Russian systems: it reads the LANG environment variable and exits immediately when the value starts with "ru" (Russian). Taken together with names from Russian legend such as Koschei the Deathless and BABA-YAGA and other Slavic cultural symbols in the code, these experts proposed a scenario in which TeamPCP originates from the Russian cultural sphere or a related geopolitical security background. Antiy CERT has analyzed the relevant clues and believes this is an obvious false-flag trap.
There is no clear industry consensus on the attribution of TeamPCP, and Antiy has carried out its own analysis. The poisoning was large in scale: in this attack wave the organization contaminated more than 2,100 software packages and intruded into 5,561 GitHub repositories. We extracted the traditional attribution beacons from the samples, and once aggregated they show a large number of intertwined geographical, cultural and religious features, many with the distinct character of deliberately introduced noise terms. The geopolitical stakeholders "associated" with these elements have complex and conflicting interests. Even in the sample that carries the "roulette" module, the logic of is_israeli_system() does not target Israel alone: it also treats an Iranian system as a trigger condition. Antiy CERT therefore tends to the view that the attacker has abandoned the traditional anti-attribution approach of removing traces and instead actively piles up clues that point to multi-party conflicts and geopolitical hot spots, so as to defeat the traditional beacon-based attribution mechanism entirely.
1.False Flag Attack: Identity Game in Network Traceability
1.1 A special setting: “Roulette” in the sample
The "roulette" module in the TeamPCP incident has sparked controversy over multiple possible origins because it contains distinctive geopolitical and cultural clues. Domain-wide homology comparison and link analysis confirm that the module is an attack payload exclusive to the TeamPCP organization. The determination rests on four dimensions of hard correlation: the module is delivered through the organization's supply-chain method for the software package ecosystem; its core goal of stealing tokens and API keys matches the organization's history; it reuses the organization's customary covert exfiltration channel, the "GitHub repository description text"; and its leading payload is directly associated with the organization's historical C2 servers. The module is integrated into the batch sample set of this event, and its TTPs are highly consistent with TeamPCP. As for the geographically suggestive naming in the module, analysis suggests it is more likely a false-flag operation intended to confuse the public; its intent to interfere is conspicuous when set against the clear direction of the underlying technical evidence chain. This technical anchor provides a reliable foundation for the attribution analysis that follows.
Roulette (roulette.py) is a module written in Python. Its logic is very simple: draw a random integer from 1 to 6 with random.randint(1, 6), and when the result is 6 (about 16.7 percent probability) execute the rm -rf /* full-disk erase command while playing an audio file named "RunForCover.mp3" at maximum volume.

Figure 1-1 Description of the roulette function module in the code
(Generated by Antiy AVL Code AI Agent based on the Virus Inspection Large Language Model (VILLM))
In the AVL Code AI Agent sample analysis, the module is automatically tagged with the labels "roulette" and "conditional self-destruction persistence". In the functional architecture its parallel modules include AWS credential harvesting, Azure Key Vault theft, GCP Secret Manager theft and Kubernetes Secrets theft. "Roulette" therefore sits at the same architectural level as the regular credential-theft functions and is a deliberately designed functional component, not accidental code or debugging residue.

Figure 1-2 Overall architecture of the malware and functional description of the roulette.py destruction module
(Generated by Antiy AVL Code AI Agent based on the VILLM)
The code logic of "roulette" is as follows:

Figure 1-3 “Roulette” condition trigger logic source code
(Generated by Antiy AVL Code AI Agent based on the VILLM)
This short piece of code is infused with a very strong geopolitical colour:
- random.randint(1, 6): the use of probability design as a clue.
The attacker triggers destruction of the system with a probability of 1/6. Such sabotage conflicts sharply with TeamPCP's basic mode of operation, which is to obtain credentials and monetize them. Logically, only persistent survival guarantees a continuous supply of credentials, and carrying out the sabotage would itself cut into the profit. Moreover, the geographical scope of the damage is very small and is further gated by a probability, so the actual global impact is low. We prefer to read this function as a deliberate "clue": the "roulette" metaphor is used to steer attribution and direct attention towards "Russia".
- is_israeli_system(): the name of the region-detection function and its behaviour do not match

Figure 1-4 is_israeli_system() function code
(Generated by Antiy AVL Code AI Agent based on the VILLM)
The function is named is_israeli_system(), which appears to point only at Israeli systems, but it actually detects both Iran and Israel. State-level attackers rarely make such an elementary mistake; this looks more like deliberately using the name to mislead analysts and reinforce the geopolitical association. The move may also be intended to sow discord between Russia and Iran, and to strain the already fragile relationship between Russia and Israel, weakening the parties' willingness to cooperate by creating the suspicion that "someone in the other camp is also attacking you".
- play_at_full_volume("RunForCover.mp3"): the theatrical character of the audio playback
Before wiping the disk, the malware plays a horror sound effect at maximum volume for 48 seconds. This behaviour has no practical value and is purely theatrical; its only function is to create a dramatic label that further interferes with the attribution narrative or manufactures a talking point.
The audio file name "RunForCover" is a common English phrase that appears frequently in news reports and military contexts. It matches the horror-style sound it accompanies and offers no attribution support.
The subprocess call with the argument list ["rm", "-rf", "/*"] is the signature destructive command in the attack payload. It is the well-known "destroy command" of Unix/Linux systems, which achieves data deletion and system destruction in the most direct and thorough way. In analysis this highly readable code became a key clue for rapid investigation because of its unambiguous maliciousness and its strong indication that the attacker has entered the final, destructive stage. One caveat for reviewers of such code: the excerpt does not show whether the list is passed through a shell; without shell expansion, "/*" reaches rm as a literal argument rather than as a glob, so the command's actual effect depends on how the subprocess is invoked.
Overall, the design logic of the "roulette" module can be summarized as minimizing functional "value" and maximizing "clue" interference. It is not designed to accomplish a destructive task effectively, but to be discovered, named, analyzed and disseminated by security researchers: not concealment, but deliberately exposed interference.
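To make the trigger logic discussed in this section concrete, the following is an added example (not code from the TeamPCP sample or from Antiy's analysis tooling): a small Python AST scanner that flags, in source form, the four behaviours described above, namely a random.randint(1, 6) draw compared against a single value, a subprocess call whose argument list is rm -rf rooted at /, a LANG check with startswith("ru"), and a region-gating function whose name does not match the regions its body keys on. The sample source it scans is constructed from the page's description and is parsed only, never executed. The page does not say how the real is_israeli_system() identifies Israeli or Iranian hosts, so the time-zone comparison in the constructed sample and the REGION_TOKENS table are assumptions.

```python
"""Triage scanner for roulette-style trigger logic in Python source.

Added example. SAMPLE_SOURCE is a CONSTRUCTED stand-in built from the
page's description of roulette.py; it is parsed with the ast module and
never executed. The TZ-based region check and REGION_TOKENS are assumptions.
"""
import ast
from dataclasses import dataclass

# Constructed stand-in for the described module (assumed shape, parsed only).
SAMPLE_SOURCE = '''
import os, random, subprocess

def is_israeli_system():
    tz = os.environ.get("TZ", "")
    return tz in ("Asia/Jerusalem", "Asia/Tehran")  # assumed detection method

def roulette():
    if os.environ.get("LANG", "").startswith("ru"):
        return
    if not is_israeli_system():
        return
    if random.randint(1, 6) == 6:
        play_at_full_volume("RunForCover.mp3")
        subprocess.run(["rm", "-rf", "/*"])
'''

# Region markers to look for inside string constants (assumed, illustrative).
REGION_TOKENS = {
    "Israel": ("Asia/Jerusalem", "he_IL", "Israel"),
    "Iran": ("Asia/Tehran", "fa_IR", "Iran"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    detail: str


def _dotted(node):
    """Return 'os.environ.get' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _strings(node):
    """All string literals anywhere under node."""
    return [n.value for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


class RouletteScanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_FunctionDef(self, node):
        # Which regions does the body really key on, and does the name agree?
        body_strings = set(_strings(node))
        regions = sorted(r for r, toks in REGION_TOKENS.items()
                         if body_strings.intersection(toks))
        if regions:
            kind = "region_gate"
            if "israel" in node.name.lower() and regions != ["Israel"]:
                kind = "region_gate_name_mismatch"
            self.findings.append(Finding(
                kind, node.lineno, f"{node.name} keys on {', '.join(regions)}"))
        self.generic_visit(node)

    def visit_Compare(self, node):
        # random.randint(lo, hi) == k  ->  one hit in (hi - lo + 1) per run
        left = node.left
        if (isinstance(left, ast.Call) and _dotted(left.func) == "random.randint"
                and len(left.args) == 2
                and all(isinstance(a, ast.Constant) for a in left.args)
                and len(node.ops) == 1 and isinstance(node.ops[0], ast.Eq)):
            lo, hi = left.args[0].value, left.args[1].value
            self.findings.append(Finding(
                "probabilistic_trigger", node.lineno, f"1/{hi - lo + 1} per run"))
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted(node.func)
        # subprocess.<anything>(["rm", "-rf", "/..."]) style full-disk wipe
        if name and name.startswith("subprocess.") and node.args:
            argv = _strings(node.args[0])
            if ("rm" in argv and any(a.startswith("-r") for a in argv)
                    and any(a.startswith("/") for a in argv)):
                self.findings.append(Finding("wiper", node.lineno, " ".join(argv)))
        # <expression mentioning LANG>.startswith("<literal>") locale geofence
        if (isinstance(node.func, ast.Attribute) and node.func.attr == "startswith"
                and node.args and isinstance(node.args[0], ast.Constant)
                and "LANG" in _strings(node.func.value)):
            self.findings.append(Finding(
                "locale_geofence", node.lineno, f"LANG startswith {node.args[0].value!r}"))
        self.generic_visit(node)


def scan(source: str) -> list:
    """Parse source and return findings in line order."""
    scanner = RouletteScanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings, key=lambda f: f.line)


def kinds(findings) -> set:
    return {f.kind for f in findings}


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"L{f.line:<3} {f.kind:<28} {f.detail}")
```

Run as a script it prints one line per finding. The name/function mismatch is reported only because the string constants in the body match more regions than the one named in the function, which is exactly the inconsistency this section points to. A scanner like this is a triage aid over recovered Python: it tells you what a module keys on, not who wrote it.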
1.2 In-depth analysis: more clues and contradictions emerge
AVL Code's analysis of further geopolitical clues in the TeamPCP samples reveals more deliberately stacked evidence:

Figure 1-5 Analysis of the language features and attribution clues of the GitHub repository description string "PUSH UR T3MPRR"
(Generated by Antiy AVL Code AI Agent based on the VILLM)
The GitHub repository description string "PUSH UR T3MPRR" shows several linguistic features through internet abbreviations and non-standard leetspeak: "UR" is a common internet abbreviation, while the double-R ending of "T3MPRR" is not standard English leetspeak and is more consistent with the Latin-alphabet spelling habits of Russian native speakers for the word "temper" (rendered in Russian as темпер). This habit, however, does not distinguish between Russian and Ukrainian writers.

Figure 1-6 Analysis of abnormal spelling and non-native-language features in the Russian cultural lexicon
(Generated by Antiy AVL Code AI Agent based on the VILLM)
Anomalies in the Russian cultural lexicon: 28 of the 30 words are explicit elements of Russian folklore or fairy tales (Latin transliterations of the Russian BABA-YAGA, KOSCHEI, LESHY, RUSALKA, SAMOVAR and so on), but two are clear anomalies:
- "RICHARD": not a Russian word, not a Slavic word and not from Russian folklore, but an English given name
- "FIREBIRD": the English translation is used instead of the Latin transliteration of the Russian name, "Zharptitsa"

Figure 1-7 Language and naming feature analysis of the file name RunForCover.mp3
(Generated by Antiy AVL Code AI Agent based on the VILLM)
We are therefore more inclined to regard this as a deliberately constructed interference term.
2.Summary of Multi-dimensional Geopolitical Clue Traceability Analysis
Based on the automated analysis of Antiy AVL Code, the observable geopolitical clues in the TeamPCP malware samples are abnormally dense. The objective textual features that AVL Code extracted along three dimensions (repository description spelling, cultural vocabulary, and file naming) show that the GitHub repository descriptions use non-standard spellings; that the attacker's vocabulary contains a large number of Eastern European (Russian) folk-culture elements mixed with English words, i.e. language mixing; and that the audio file is named in English CamelCase, yet another usage habit.
Further sorting the observable technical clues, such as domain names, system identifiers, language features and ideology-linked trigger rules, and labelling each clue with one of four attributes (pointing to the Russian side, pointing to the Ukrainian side, a third-party false flag, or indeterminate) makes the contradictions and conflicts visible:

Figure 2-1 Matrix analysis of geopolitical elements
(Generated by Antiy AVL Code AI Agent based on the VILLM)
The above attribution conclusions begin to be challenged once we widen the view from the "roulette" sample to the overall attack portrait of the TeamPCP organization.
The table sorts the multi-dimensional geopolitical clues of TeamPCP, which show clearly contradictory and multi-directional characteristics.
| Direction | Description | Detailed Information |
|---|---|---|
| Points to the Russian side | Russian cultural lexicon | 29 of the 30 words in the Russian cultural lexicon are explicit elements of Russian folklore/fairy tales (Latin transliterations of the Russian BABA-YAGA, KOSCHEI, LESHY, RUSALKA and SAMOVAR), which are highly recognizable cultural symbols in the Russian sphere. |
| Points to the Russian side | Slavic beacon string | The attacker embeds characteristic strings in the code as deliberate attribution identifiers, implanting Slavic-style strings such as the domain name m-kosche.com. |
| Points to the Russian side | Russian system exemption | When the malicious program detects that the system language/region is Russian, it stops executing malicious behaviour, a typical camp-affiliation marker. |
| Points to Ukraine | Directional eraser (wiper) function | The team added data-destruction modules targeting Iran and Israel to the malicious code. Since Iran is geopolitically aligned with Russia, sabotage against it steers tracers toward associating the organization with forces hostile to Russia. |
| Points to third parties | Domain name registration information | The WHOIS record for m-kosche.com shows that the domain was registered through the US registrar Namecheap. |
| Points to third parties | File naming convention | The audio file in the GitHub repository is named in English. |
| Points to third parties | Text language features | The GitHub repository description has non-standard spelling, and the overall writing matches the language characteristics of non-native English speakers. |
Comprehensive analysis of the global sample characteristics, trigger mechanisms and massive diffusion scale shows that TeamPCP relies on the open-source ecosystem to achieve wide-ranging poisoning. Its malicious logic is triggered automatically when developers compile, deploy and run CI/CD pipelines, affecting a large number of downstream enterprises and development environments. This indiscriminate, scalable, broad-spectrum diffusion, combined with the non-tactical design of random-probability destruction in "roulette", differs from the precise, controllable and strategic attack characteristics of geopolitical APTs. The organization's sole goal is large-scale credential theft and criminal monetization, and it deliberately piles up contradictory geopolitical symbols and theatrical attack functions. This is a typical, systematic false-flag disguise operation, and the cultural clues have no attribution reference value.
3.Summary
Based on the comprehensive analysis of global sample characteristics, attack behaviour patterns and operational objectives, TeamPCP, a new type of supply-chain cybercrime organization that emerged at the end of 2025, has as its core need large-scale "Sandstorm-style" batch poisoning, the theft of development-ecosystem credentials, and the building of upstream resource pools for criminal use. Its overall operational orientation is centred on commercial gain, with no clear geopolitical demands. The organization deliberately piled Russian cultural symbols, regional markers and opposing geopolitical clues into its samples, and manufactured multi-dimensional attribution contradictions through theatrical code such as "roulette" that has no practical value and serves only to spread and to steer attribution. This fully matches the mature, systematic characteristics of a false-flag operation; its surface geopolitical clues are all controllable, forged interference items with no attribution credibility.
This incident exposes a core change in attribution attack and defence in the AI era: with large models and RAG, the professional knowledge the security industry has accumulated over the years, such as group characteristics, cultural beacons, attribution methodology and geopolitical identification systems, can be reused in reverse by attackers at zero threshold and low cost. The false flags that APTs could achieve in the past produced attribution misdirection; TeamPCP deliberately creates attribution confusion. In future the vast majority of attack code and payloads will almost certainly be written by AI, and threat attribution needs to find a new anchor point in the era of human-machine (AI) cooperation.
[Note]: The overall analysis, malicious sample analysis and geopolitical background analysis in this report relied on the Antiy AVL Code AI Agent, integrated with VILLM, to assist the work. The relevant results are annotated and cited in the form of screenshots. All model-assisted output has been manually reviewed, double-checked and proofread.
Appendix: Reference
Based on Antiy AVL Code automated analysis results and comprehensive research of public threat intelligence, the core material sources include:
[1] Cloud Security Alliance – Shai-Hulud/Megalodon: A Two-Wave AI Developer Supply Chain Attack (2026-05-23). https://labs.cloudsecurityalliance.org/research/csa-research-note-shai-hulud-megalodon-supply-chain-cascade/
[2] SafeDep – Megalodon: Mass GitHub Repo Backdooring via CI Workflows (2026-05-18). https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows
[3] Palo Alto Networks Unit 42 – The npm Threat Landscape (Updated 2026-05-21). https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/
[4] Microsoft Security Blog – Mini Shai Hulud: Compromised @antv npm packages (2026-05-21). https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/
[5] Vectra.ai – Shai-Hulud Part 2: When the Worm Forged Its Own Security Certificate (2026-05-13). https://www.vectra.ai/blog/shai-hulud-part-2-when-the-worm-forged-its-own-security-certificate
[6] Infosecurity Magazine – GitHub Confirms Breach of Internal Repositories (2026-05-21). https://www.infosecurity-magazine.com/news/github-confirms-breach-vs-code/
[7] Sandstorm-style Poisoning Targeting Developer Tool Supply Chains — Sample, Technical and Tactical Analysis of TeamPCP Organizations (Part 1) (2026-05-27).
